US10133865B1ActiveUtility

Systems and methods for detecting malware

Assignee: SYMANTEC CORPPriority: Dec 15, 2016Filed: Dec 15, 2016Granted: Nov 20, 2018
Est. expiryDec 15, 2036(~10.4 yrs left)· nominal 20-yr term from priority
G06F 2221/034G06N 3/084G06N 3/045G06F 21/56G06N 3/0455G06N 3/08G06N 3/04G06N 3/0499G06N 3/09
94
PatentIndex Score
29
Cited by
9
References
17
Claims

Abstract

The disclosed computer-implemented method for detecting malware may include (1) identifying a plurality of programs represented in machine code, (2) deriving a plurality of opcode n-grams from opcode sequences within the plurality of programs, (3) training an autoencoder by using the plurality of opcode n-grams as input, (4) discovering a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams, and (5) classifying a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program. Various other methods, systems, and computer-readable media are also disclosed.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method for detecting malware, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
 identifying a plurality of programs represented in machine code; 
 deriving a plurality of opcode n-grams from opcode sequences within the plurality of programs, each opcode n-gram within the plurality of opcode n-grams representing a sequence of opcodes extracted from a program within the plurality of programs; 
 training an autoencoder by using the plurality of opcode n-grams as input; 
 discovering a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams; and 
 classifying a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program by:
 initializing a neural network with the set of features discovered within the autoencoder; 
 training the neural network with supervision using a training set labeled to indicate whether each sample within the training set is malicious; and 
 classifying the potentially malicious program using the trained neural network. 
 
 
     
     
       2. The computer-implemented method of  claim 1 , further comprising performing a security action on the potentially malicious program based on classifying the potentially malicious program as malicious. 
     
     
       3. The computer-implemented method of  claim 1 , wherein using the set of features discovered within the autoencoder to analyze the potentially malicious program comprises:
 extracting the set of features discovered within the autoencoder from the potentially malicious program; and 
 providing the extracted set of features as input to a machine learning classifier previously trained according to the set of features discovered within the autoencoder. 
 
     
     
       4. The computer-implemented method of  claim 1 , wherein the plurality of opcode n-grams comprises machine code opcodes and not mnemonic-based instructions. 
     
     
       5. The computer-implemented method of  claim 1 , wherein the plurality of opcode n-grams comprises opcodes without accompanying operands. 
     
     
       6. The computer-implemented method of  claim 1 , deriving the plurality of opcode n-grams from the plurality of programs comprises excluding a subset of opcodes from the plurality of opcode n-grams. 
     
     
       7. The computer-implemented method of  claim 1 , wherein deriving the plurality of opcode n-grams from the plurality of programs comprises extracting a plurality of opcodes from a program within the plurality of programs without mapping the opcode to a mnemonic instruction. 
     
     
       8. A system for detecting malware, the system comprising:
 an identification module, stored in memory, that identifies a plurality of programs represented in machine code; 
 a derivation module, stored in memory, that derives a plurality of opcode n-grams from opcode sequences within the plurality of programs, each opcode n-gram within the plurality of opcode n-grams representing a sequence of opcodes extracted from a program within the plurality of programs; 
 a training module, stored in memory, that trains an autoencoder by using the plurality of opcode n-grams as input; 
 a discovery module, stored in memory, that discovers a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams; 
 a classification module, stored in memory, that classifies a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program by:
 initializing a neural network with the set of features discovered within the autoencoder; 
 training the neural network with supervision using a training set labeled to indicate whether each sample within the training set is malicious; and 
 classifying the potentially malicious program using the trained neural network; and 
 
 at least one physical processor configured to execute the identification module, the derivation module, the training module, the discovery module, and the classification module. 
 
     
     
       9. The system of  claim 8 , wherein the classification module further performs a security action on the potentially malicious program based on classifying the potentially malicious program as malicious. 
     
     
       10. The system of  claim 8 , wherein the classification module uses the set of features discovered within the autoencoder to analyze the potentially malicious program by:
 extracting the set of features discovered within the autoencoder from the potentially malicious program; 
 providing the extracted set of features as input to a machine learning classifier previously trained according to the set of features discovered within the autoencoder. 
 
     
     
       11. The system of  claim 8 , wherein the plurality of opcode n-grams comprises machine code opcodes and not mnemonic-based instructions. 
     
     
       12. The system of  claim 8 , wherein the plurality of opcode n-grams comprises opcodes without accompanying operands. 
     
     
       13. The system of  claim 8 , wherein the derivation module derives the plurality of opcode n-grams from the plurality of programs by excluding a subset of opcodes from the plurality of opcode n-grams. 
     
     
       14. The system of  claim 8 , wherein the derivation module derives the plurality of opcode n-grams from the plurality of programs by extracting a plurality of opcodes from a program within the plurality of programs without mapping the opcode to a mnemonic instruction. 
     
     
       15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
 identify a plurality of programs represented in machine code; 
 derive a plurality of opcode n-grams from opcode sequences within the plurality of programs, each opcode n-gram within the plurality of opcode n-grams representing a sequence of opcodes extracted from a program within the plurality of programs; 
 train an autoencoder by using the plurality of opcode n-grams as input; 
 discover a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams; and 
 classify a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program by:
 initializing a neural network with the set of features discovered within the autoencoder; 
 training the neural network with supervision using a training set labeled to indicate whether each sample within the training set is malicious; and 
 classifying the potentially malicious program using the trained neural network. 
 
 
     
     
       16. The non-transitory computer-readable medium of  claim 15 , wherein the one or more computer-readable instructions further cause the computing device to perform a security action on the potentially malicious program based on classifying the potentially malicious program as malicious. 
     
     
       17. The non-transitory computer-readable medium of  claim 15 , wherein the one or more computer-readable instructions cause the computing device to use the set of features discovered within the autoencoder to analyze the potentially malicious program by causing the computing device to:
 extract the set of features discovered within the autoencoder from the potentially malicious program; and
 provide the extracted set of features as input to a machine learning classifier previously trained according to the set of features discovered within the autoencoder.

Join the waitlist — get patent alerts

Track US10133865B1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.